IT NEWS

Dozens of apps were removed from the Google Play Store after they were found to be harvesting the data of device owners. The code in question—a software development kit (SDK)—was used inside apps which were downloaded over 10 million times.

What happened?

A wide range of Android apps were found to have this particular SDK lurking. There’s no obvious connection between the apps besides the SDK, as they’re all from different sources and developers. A mobile powered speed camera radar. QR barcode scanners. Weather/clock widgets. Even a remote control PC mouse app. They all had this SDK running under the hood, doing things it shouldn’t have been. The only key point among them all is that they made use of something designed to help monetise their app.

It’s possible the app developers believed there was no issue with including the SDK in their apps. Indeed, there seems to be some confusion as to what, specifically, some developers thought the SDK was doing.

According to WSJ, one dev claimed they were told it was “collecting data on behalf of internet service providers”. These supposed ISPs were complemented by financial service/energy companies. Others claim to have signed non-disclosure agreements.

Google did not find these antics impressive, and swiftly removed many of the apps. The SDK is able to collect clipboard data, exact location, phone numbers, emails, and nearby devices. It can also scan other locations such as WhatsApp downloads.

Mapping out a person

You have to be very careful with visual clues to a person’s physical location, but also digital ones too. Stripping out GPS data from a photograph, or disabling geolocation on a social media portal. This can also work its way down to other areas, such as Bluetooth beacons in towns and department stores. Even Apple AirTags are now generating significant issues for people.

Even without physical stalker threats, you still need to know what’s going on inside the phone in your pocket. As the researchers note, whoever is collecting this information could link an email and mobile to GPS location data. This is very bad news for journalists working on sensitive stories. It’s also very bad in places where forms of political activism are not appreciated. In fact, it’s bad for everybody. Consider that your “not a big deal” is someone else’s “well that’s a disaster” on their personal threat model scale.

Back into the fold

Google is allowing removed apps back on the store for a second chance, assuming the SDK element has been removed. The BBC reports that the majority of apps have already returned. There is the question of whether or not some developers were up to no good. Perhaps some were totally unaware, maybe some saw harmless looking promotions for more accurate data collection and a bump in cash. Sadly, they may not have considered what, exactly, the SDK would be doing in return.

Is my device safe from this SDK?

Google hasn’t revealed how many more apps on the Play Store included the SDK. It’s very likely that all traces are now gone.

The age old advice of “the best way to keep your Android safe is to only download apps on the Play Store” may sound contradictory. However, it’s still the case that this is entirely accurate.

You’re much better off using the store than a third party download location. Simply hoping that it isn’t a scam from top to bottom won’t save you from a rogue install. Depending on device model, you may even have to tick the “allow installs from unknown sources” option to even use third party stores in the first place.

This could very well make things even more insecure in terms of your mobile device.

Keep applying those OS updates as they come along. Pay attention to reviews of apps before you download them. Take a look at some of the requested permissions at install time. If your device is capable of installing a trusted security tool, consider installing one of those too. All of this will help keep your device safe. While there’s never any guarantees, we’d be surprised if the Play Store gives the wheel back to this problematic and unwanted Android app addition.  Looks like it’s back to business as usual for the Play Store – for now, at least.

The post Apps removed from Google Play for harvesting user data appeared first on Malwarebytes Labs.

There are times when you would like a folder to be accessible by you alone. Financial information, personal documents, or work related files on your personal system sometimes need to be hidden from prying eyes. One of the ways to do this is to password protect the folder.

Windows

For the Windows section of this article we will answer a few frequently asked questions.

Can you put a password on a folder?

Well, Windows does not provide you with an option to simply password protect a folder, but it does provide you with some options that you can utilize to put a password on a folder.

In Windows you can encrypt a folder by following these instructions:

• Right-clicking it
• Select Properties from the menu.
• On the form that appears, click the General tab.
• On that tab click the Advanced button
• Select Encrypt content to secure data.
• Click OK.

An important downside to this method is that your Windows username and password will be used to encrypt and password protect the folder, so people logging in on the same account as you can still see the content.

It is also important to note that when the process completes, you’ll be prompted to back up your encryption key if you’ve never used the feature before. Click the recommended option on the notification and follow the prompts to make a note of your encryption key. You’ll need this information if you ever lose access to your encrypted files, so it’s important you take the time to back it up.

How do I password protect a folder in Windows 10?

For Windows versions later than Windows 7 there is also an option to send files to a compressed folder (a zip file) which you can password protect. This Send to option is usually faster than encrypting the content. But you will have to keep in mind that the option creates a duplicate, so you will need to delete the original once you’re satisfied the compressed version is complete and accessible.

How do I hide a folder?

Hiding folders is not an ideal solution, but we want to point out that it is available in Windows. It works like this:

• Right-click on the file or folder that you want to hide.
• Select Properties.
• Click the General tab
• Under the Attributes section, check Hidden.
• Click Apply.

Why is it not ideal? Anyone that has access to the system can check the option to Show hidden files, folders, and drives in the folder options.

Many advanced Windows users already have this option enabled, and you may forget to change the setting after you have accessed your hidden folder.

MacOS

You can password protect folder contents using macOS and Disk Utility, a built-in utility on your Mac. This method will also encrypt the content.

• Open Disk Utility on your Mac
• With Disk Utility open, select File from the menu bar
• Then choose New Image -> Image from Folder.
• Select the folder you want to protect with a password
• Choose your encryption level: 128-bit, or 256-bit AES encryption
• Enter and verify the password for your folder (After you type the password into both the Password and Verify text boxes make sure to uncheck Remember password in my keychain, otherwise anyone logged into your account will still be able to access the data.
• Give the folder a name if desired
• Under Image Format select read/write from the menu
• Select Save

This creates a disk image holding the contents of the folder in encrypted storage. So, you’ll need to delete the original folder after verifying the disk image is complete and accessible.

Another important thing to remember is that this method only creates a fairly small—and fixed—amount of free space on the disk image, so if you want to make changes you’ll be dealing with a limited capacity. If you want a disk image with unlimited capacity, you’d be better off creating a blank image, and choosing sparse bundle disk image as the image format. If you create a 200 MB sparse bundle disk image, you can copy a 1 GB file onto it and it’ll resize to fit. However, it will not decrease in size if you were to delete that 1 GB file.

Third party software

It is not our place to make recommendations about software you can use to achieve the goal of password protecting folders, but there are several third party software packages for both Windows and Macs that are very good at compressing files and folders and providing the resulting compressed files with a password. If they are any good you will not need to decompress the entire folder before you can look at an individual file.

Just be careful not to download any potentially unwanted programs (PUPs) or one that is bundled with PUPs or adware.

The post How to password protect a folder appeared first on Malwarebytes Labs.

Thanks to the Threat Intelligence team for their help with this article.

Conti, the infamous ransomware created by a group of Russian and Eastern European cybercriminals, has again made headlines after a hacking group used its leaked source code to create another variant of the ransomware and target Russian businesses.

The hacking group calls itself Network Battalion ’65 (@xxNB65), and it is highly motivated by Russia’s invasion of Ukraine.

NB65 has been breaching Russian entities and stealing and leaking their data online. Some of its targets include Continent Express (travel management company), Roscosmos (Russian space agency), Tensor (document management operator), Ufa Scientific Center of the Russian Academy of Science (part of a network of scientific research institutes), and VGTRK (state-owned TV and radio broadcaster). Expect the number of its victim organizations to increase, as the group says it won’t be stopping until the war stops.

NB65’s ransomware, composed of 66 percent of Conti’s code, behaves the same way as the original Conti variant but with slight yet noticeable changes. Last week, a sample was submitted to VirusTotal, allowing cybersecurity researchers to study it.

How it works

Once executed, this ransomware appends the.NB65 extension to encrypted files.

The ransomware creates the ransom note, R3ADM3.txt, a known IOC file of Conti. However, the note’s content has been changed to reflect NB65’s message to victim organizations: Blame Russian President Vladimir Putin for the cyberattack.

“By now it’s probably painfully apparent that your environment has been infected with ransomware. You can thank Conti for that.

We’ve modified the code in a way that will prevent you from decrypting it with their decryptors.

We’ve exfiltrated a significant amount of data including private emails, financial information, contacts, etc.

Now, if you wish to contact us in order to save your files from permanent encryption you can do so by emailing network_battalion_0065@{redacted}.

You have 3 days to establish contact. Failing to do so will result in that data remaining permanently encrypted.

While we have very little sympathy for the situation you find yourselves in right now, we will honor our agreement to restore your files across the affected environment once contact is established and payment is made. Until that time we will take no action. Be aware that we have compromised your entire network.

We’re watching you closely. Your President should not have commited war crimes. If you’re searching for someone to blame for your current situation look no further than Vladimir Putin.“

NB65’s ransom note contains details of what the group did to prevent victims from decrypting their files using Conti decryptors. There is also a contact email for victims to who want their files decrypted by the group. However, speaking to BleepingComputer, an NB65 representative said they don’t expect victims to reach out.

When BleepingComputer pressed for reasons for attacking Russian organizations, NB65 has this to say:

After Bucha we elected to target certain companies, that may be civilian owned, but still would have an impact on Russias[sic] ability to operate normally. The Russian popular support for Putin’s war crimes is overwhelming. From the very beginning we made it clear. We’re supporting Ukraine. We will honor our word. When Russia ceases all hostilities in Ukraine and ends this ridiculous war NB65 will stop attacking Russian internet facing assets and companies.

Until then, **** em.

We will not be hitting any targets outside of Russia. Groups like Conti and Sandworm, along with other Russian APTs have been hitting the west for years with ransomware, supply chain hits (Solarwinds or defense contractors)… We figured it was time for them to deal with that themselves.

Malwarebytes users are protected from this ransomware, and we detect NB65’s variant as Ransom.Conti.

The post Conti ransomware offshoot targets Russian organizations appeared first on Malwarebytes Labs.

The results of the MITRE Engenuity ATT&CK Evaluation of the Wizard Spider and Sandworm adversaries were officially released¹ last week. We are very proud of the Malwarebytes EDR results in the MITRE Engenuity test, which are the direct reflection of a relentless core EDR team and the learnings from participation in prior MITRE Engenuity testing rounds.

MITRE Engenuity provides the results in a structured format which allows for deeper understanding of the products being tested. Thanks to this level of reporting, we can see how well each product is prepared to detect, and ideally prevent, attacks by advanced adversaries.

The MITRE Engenuity data also allows anybody to determine the level of visibility and the level of analytics coverage of each EDR product tested. But it allows much more than that. Based on the data, anybody can also derive the level of configuration required for best detection, the level signal to noise ratio, the level of investigation needed to understand and act on alerts, and many more things.

As a summary of our analysis of the data so far, we believe that the MITRE Engenuity results back up our claims that Malwarebytes EDR:

1. Needs little or no need to customize configurations
2. Provides best analytics coverage, useful alerts, and high signal-to-noise ratio
3. Is effective at preventing advanced attacks

MITRE Engenuity ATT&CK Emulations 101

MITRE Engenuity replicates well known hacking attacks, by reconstructing the various steps of attacks on enterprise networks, from the initial compromise to the exfiltration of sensitive data and persistence. In the MITRE Engenuity Round 4 evaluation, the attacks replicated were those of the cybercrime groups Wizard Spider and Sandworm. Each attack step includes several sub-steps that go in-depth into how the attack is carried out. The higher the number of sub-steps identified by the security software, the greater the visibility of that attack step and thus the possibility for the product and a customer to identify and react to the attack.

Prior to the 4 days of intense testing, vendors are allowed to configure and deploy their products to their optimum settings. After the emulation is carried out by MITRE Engenuity on the victim machines, vendors need to show MITRE Engenuity how their product has performed against each sub-step of the attack. For each sub-step, vendors can showcase “No detection,” “Telemetry detection,” “General detection,” or higher quality detections such as MITRE Engenuity-mapped Tactic and Technique detections. MITRE Engenuity gathers details of every little step of the way during investigation and reporting of findings.

Overall raw visibility results

The MITRE Engenuity ATT&CK Evaluation of Wizard Spider and Sandworm involved 109 sub-steps altogether. The emulations which focus on the Windows platform account for most of the steps, i.e. 90 out of the 109 sub-steps are exclusive to Windows OS. The remaining 19 steps are carried out in the Linux platform. Vendors are evaluated based on the number of detections over the corresponding number of sub-steps for the platforms they participated in. For vendors who did not participate on the Linux emulation, the total number of sub-steps is 90. For vendors who participated in in the Linux emulation, the total number of sub-steps is 109.

Malwarebytes did not participate in the Linux test because our EDR product for Linux was not yet available during the MITRE Engenuity evaluation in October 2021. However, Malwarebytes EDR for Linux is available in beta today with similar detection capabilities as the Malwarebytes EDR for Windows agent.

The following “overall raw visibility” ratios are based on the corresponding number of sub-steps for each vendor. When reviewing the results or calculating scores, pay attention to the total number of sub-steps (90 or 109) to ensure accurate scores.

A very important note about Modifiers and “Configuration Changes”

During the evaluation vendors cannot change the configuration of the tested product, as this would have affected the accuracy of the results. However, MITRE Engenuity does allow configuration changes to be made to the EDR product if the vendor can provide better, higher quality details for a specific sub-step, or after a miss of a specific sub-step. Sub-steps which are detected by the product after a configuration change are marked with a “Config Change” modifier. These change modifiers allow us to better understand the limitations of each product to deal with attacks from advanced adversaries. These modifiers indicate which changes, tweaks, or manual detections the vendor added during the test in order to be able to detect a specific sub-step which was not detected to the vendor’s liking by the product the first time it was tested. Based on the MITRE Engenuity methodology²:

• The vendor is allowed to perform changes to the product such as obtaining telemetry from alternative data sources, which may not yet be readily available to the typical enterprise customer. These modifiers are labeled as “Config Change (Data Source)”.
• The vendor is allowed to create or provide a higher quality detection by modifying the detection logic and triggering new alerts. These modifiers are labeled as “Config Change (Detection Logic)”.
• The vendor is allowed to change the UI of the product to provide better mapping to MITRE Engenuity Tactics and Techniques. These modifiers are labeled as “Config Change (UX)”.
• The vendor and product may trigger an alert after a delayed period of time, typically because of a manual submission to a sandbox by the EDR operator, or from a Managed Detection and Response (MDR) team. These modifiers are labeled as “Delayed Detection”

Vendors are allowed to make use of Configuration Changes and Delayed Detections after the first pass of testing with the original config.

At Malwarebytes we believe any EDR product should strive to be easy to use out-of-the-box and without requiring advanced configuration, especially given the high demand and low supply of specialized IR personnel.

Overall raw visibility results without configuration changes

We wanted to get an interpretation of the data which would represent what an out-of-box experience would be for a typical customer. Therefore, in the following data analysis we discard all detections from any vendor which are the result of a Configuration Change. Config Change detections are not representative of the typical experience that a customer would have with the EDR product. These detections derive from the vendor itself re-configuring the product to detect something that wasn’t detected during initial MITRE Engenuity testing.

For the following graph, higher quality detections such as Technique are downgraded to Telemetry detections if they are the result of a “Config Change (UX)” or “(Detection Logic)”. Telemetry-only detections are discarded if there is an associated “Config Change (Data Source)” modifier.

Our parser³ is available to replicate this analysis of discarding Configuration Changes and Delayed Detections. If we discard Configuration Changes and Delayed Detections during the test, then the “overall raw visibility” results vary not so slightly:

The MITRE Engenuity Analytics Coverage—a focus on detection quality

The above approach which looks only at “overall raw visibility” is the quickest, although also probably the most incorrect way, to interpret the data. Looking only at “overall raw visibility” does not take into account aspects which are critical to understanding the quality of the EDR product being evaluated.

MITRE Engenuity provides a much more interesting and useful datapoint to determine EDR detection quality, which is “Analytics Coverage”. As defined by MITRE Engenuity, Analytics Coverage is “the ratio of sub-steps with detections enriched with analytics knowledge (e.g. at least one General, Tactic, or Technique detection category)”.

An Analytics Coverage index highlights which detections are higher quality detections which make it easier for the user or practitioner to act upon and to initiate response and remediation actions. By contrary, too many detections deriving from “Telemetry” events or delayed detections which were manually added later by the vendor are indicative of EDR solutions which require large, specialized teams to operate.We believe a quality EDR product should be quick to identify and highlight the root problem of each incident in an easy-to-understand manner which facilitates response and remediation. If we focus on the Analytics Coverage indicator of quality alerts for each vendor, the results vary considerably:

MITRE Engenuity results for Windows

The MITRE Engenuity test involved 109 steps altogether, of which 90 were executed in the Windows OS platform. In this section we will analyze the results of each vendor against the Windows attacks only.

We plot both the “Overall Raw Visibility” and “Analytics Coverage” datapoints from the above paragraphs into a quadrant to see where each EDR products’ capabilities fall within these dimensions.

Just like before, we discard detections which come from a Configuration Change or Delayed Detection due to these being considered “misses” by us at the time of the test, and not representative of the customer experience without a specialized and dedicated SOC.

Protection

While all EDR products should be able to DETECT, not every EDR product has the ability to PREVENT advanced attack tactics.

Prevention and real-time blocking of advanced attack tactics is a delicate matter which involves balancing effective real-time protection through advanced exploit mitigations, AI/ML, behavior monitoring, sandboxing, and heuristics on one side, and minimizing conflicts and the need for highly specialized configurations and tuning on the other side.

We are very glad and humbled to be amongst good company in this challenging test.

Summary

Malwarebytes is one of the very few companies during the MITRE Engenuity Round 4 Evaluation who did not need to make any Config Changes to trigger quality detections, and at the same time achieved some of the top scores in visibility and analytics. This points to Malwarebytes as one of the top EDR leaders.

We believe that the MITRE Engenuity Round 4 results are a true representation of the Malwarebytes EDR strengths as a better out-of-the-box solution:

1. Little or no need to customize highly specialized configurations
2. High quality alerts and signal-to-noise ratio
3. Effective not just at detecting, but also preventing advanced attacks

MITRE Engenuity does not offer its own interpretation or ranking of the test results. But if we were to apply our own interpretation of the results to a ranking methodology and framework similar to those used by testing organizations AV-Comparatives, MRG-Effitas, etc., it could look something like this:

* The ranking criteria could be stricter if instead of looking at e.g. “90%+ analytics coverage” we set the criteria of “90%+ Technique coverage”, as suggested⁴ by Josh Zelonis. We fully agree with Josh’s point of view that the market needs to evolve to using Technique detections as the most important metric.

** Vendors that achieve the CHALLENGERS criteria but who also achieve 80%+ protection rates get bumped to CONTENDERS since we believe that effective prevention is more cost-effective than detection.

*** Vendors shown are listed in order or higher Analytics Coverage. Not all vendors who participated in the MITRE Engenuity Round 4 evaluations are included in the ranking above. Those that didn’t participate in the Protection test and/or who achieved low analytics coverage or protection scores may not fit the ranking criteria and thresholds as defined above.

This post was authored by Bogdan Demidov, Marco Giuliani, and Pedro Bustamante.

The post Malwarebytes Evaluation of the MITRE ENGENUITY ATT&CK Round 4 Emulations  appeared first on Malwarebytes Labs.

Last week on Malwarebytes Labs:

• Why data protection and privacy are not the same, and why that matters: Lock and Code S03E09
• YouTube channels of Taylor Swift, Justin Bieber, Harry Styles, and other musicians compromised
• Successful operations against Russian Sandworm and Strontium groups targeting Ukraine revealed
• Don’t enter your recovery phrase! Phishers target Ledger crypto-wallet users
• Watch out for fake WhatsApp “New Incoming Voicemessage” emails
• Cash App breached by a former employee could affect millions
• Beware Ukraine-themed fundraising scams
• Colibri Loader combines Task Scheduler and PowerShell in clever persistence technique
• CISA advises D-Link users to take vulnerable routers offline
• GitLab issues security updates; watch out for hard coded passwords
• 5 ways to spring clean your security
• “Free easter chocolate basket” is a social media scam after your personal details
• Update now! Zyxel patches critical firewall bypass vulnerability

Stay safe!

The post A week in security (April 4 – 10) appeared first on Malwarebytes Labs.

A credential-stealing Windows-based malware, Spyware.FFDroider, is after social media credentials and cookies, according to researchers at ThreatLabz.

The version analyzed by the researchers was packed with Aspack. The spyware is offered on download sites pretending to be installers for freeware and cracked versions of paid software. The analyzed version of Spyware.FFDroider disguises itself on victim’s machines to look like the instant messaging application “Telegram”. Several campaigns were found to push out this spyware, but all of them were easily connected by the malicious program embedded in the cracked versions of installers, and freeware.

Browsers

After checking the IP of the affected machine by querying the legitimate service at iplogger.org, Spyware.FFDroider starts its cookies and credentials stealing routine. It uses specific methods for each browser to exfiltrate the data stored in the target browsers:

• Google Chrome
• Mozilla Firefox
• Internet Explorer
• Microsoft Edge

The target websites it looks for are:

• www.facebook.com
• www.instagram.com
• www.amazon.ca/cn/eg/fr/de/in/it/co.jp/nl/pl/sa/sg/es/se/ae/co.uk/com/com.au/com.br/mx/tr
• www.all-access.wax.io
• www.ebay.com
• www.etsy.com
• www.twitter.com

The malware also plans to steal saved VPN/dial up credentials from the AppdataMicrosoftNetworkConnectionsPbkrasphone.pbk and Pbkrasphone.pbk phonebooks if present.

Social media

For Facebook and Instagram, the stealer has another trick up its sleeve. If the malware manages to grab cookies for facebook.com or instagram.com from any of the target browsers, the cookies are replayed on the social media platforms.

First, the malware checks whether it is able to authenticate using the stolen cookies. If the cookies are valid and provide proper authentication, it sends a GET /settings request using the Access Token to facebook.com along with the authenticated cookies so it can fetch the User Account settings of the compromised account.

Next, it checks whether the compromised account is a business account and has access to Facebook Ads Manager and fetches the following details using the stolen cookies by parsing the responses:

• Fetch Account Billing and Payment Information from the Facebook Ads Manager.
• Fetch the users’ Facebook pages and bookmarks.
• Enumerate the number of Facebook friends and other user related information.

Since all the stolen information is sent to a command and control (C&C) server, it is likely that this information will be leveraged later to run malicious advertisements from the victims’ account and use the compromised account’s payment method to spread the malware further.

In a very similar way, Spyware.FFDroider looks for valid session cookies for Instagram to exfiltrate personal information such as the email address, the Instagram userID, the saved password, and the phone number from the Instagram account edit webpage and send it to the C&C server.

Other functionality

Spyware.FFDroider creates an inbound whitelisting rule in the Windows Firewall to allow itself to communicate, which requires administrative privileges. This will enable normally disallowed connections to the affected system.

After stealing and sending the stolen details from the target browsers and websites to the C&C server, Spyware.FFDroider tries to upgrade itself by downloading other modules from an update server.

If the filename at the time of execution is renamed to test.exe then the malware goes into its debug state and pops up messages on every loop. It then prints out the stolen cookies and the results which are created to be sent to the C&C holding the information collected from each targeted browser for the target websites. The debug state is very likely what the malware authors used to check the malware’s functionality during development.

IOCs

Files and folders:

The malware creates a directory in %UserProfile%Documents named VlcpVideov1.01

In this folder it drops the file:

Install.exe

The malware is hosted online as:

vinmall880.exe

vinmall1.exe

lilay.exe

SHA256 hashes:

3596982adf10806e7128f8f64621ec7546f4c56e445010523a1a5a584254f786

7eb7bd960e43164184e41cdacf847394a5aa8b7bce357d65683bc641eef3381b

94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474

d7e81d5c26a9ff81d44ff842694b1a8732211e21ac32a471641c4277c1927ca5

All detected by Malwarebytes as Spyware.FFDroider

Subdomain:

download.studymathlive.com

IPs:

C2: http://152.32.228.19/seemorebty

Update server: http://186.2.171.17/seemorebtu/poe.php?e=<filename>

Registry key:

HKCUSoftwareffdroiderFFDroider

Stay safe, everyone!

The post Credential-stealing malware disguises itself as Telegram, targets social media users appeared first on Malwarebytes Labs.

Starting very soon, old and outdated apps on the Google Play Store will no longer be available to download. A major clearout is coming, and if you’re an app developer it may be time to overhaul your product or face Android-centric oblivion.

What’s happening?

Android makes use of APIs (application program interfaces) as a way of helping to figure out what runs where, as well as how apps work alongside security measures and other features.

What we have is a sliding scale for apps becoming increasingly outdated and unsupported. Lag behind too much, and you may have a problem.

In other words: do you own an old Android phone? You may find that newer versions of apps simply refuse to install. The older devices are essentially trying to play catch-up, with applications increasingly outrunning them. This is perfectly normal, as newer apps rely on more modern features and functionality that old Android OS versions simply cannot handle.

By the same token, old outdated apps are increasingly discouraged from running on newer devices. Android is tightening restrictions on old apps in order to keep users secure, via their target API level policy.

Current and future API restrictions

Android’s target API level is the previously mentioned sliding scale for applications. Google doesn’t want you running a bunch of very old and potentially insecure apps on your device. 

Current requirements expect new apps and updates to target an Android API level “within one year of the latest major Android OS version release”. As a result, any app which falls behind this level requirement can’t be published on Google Play. This is all about to change.

From November 1, as per the Android blog:

“Existing apps that don’t target an API level within two years of the latest major Android release version will not be available for discovery or installation for new users with devices running Android OS versions higher than apps’ target API level. As new Android OS versions launch in the future, the requirement window will adjust accordingly.“

The requirement for apps to focus on API levels inside of one year within the most recent OS has been for new apps only, up to this point. The changes coming in November broaden this out quite a bit. From that point on, all apps will be required to keep up with a Target API within two years of the most recent OS. New? Old? Already in the store? It no longer matters. You’ll have to play by the rules if you want to remain visible and updated.

According to Ars Technica, old apps already on the Google Play Store not targeting Android 11 and up will be hidden from store listings. Apps not targeting Android 12 and up will still be visible, but they won’t be able to update anymore.

All my apps gone?

Not exactly. It isn’t the case that all of these old apps will just vanish completely into the ether. Going back to the Android blog:

“Current users of older apps who have previously installed the app from Google Play will continue to be able to discover, re-install, and use the app on any device running any Android OS version that the app supports.“

Depending on your current mobile situation, you should in theory be able to reinstall apps you simply can’t do without. Your old apps will still work with your old phone. At some point though, you may simply have to move on to app pastures new as the future ultimately looks bleak for the abandoned and the no-longer-updated.

Playing the long game

Despite these fairly major changes in Android land, developers now have quite a bit of time to figure out what to do with their apps. We can safely assume anything not updated by the time two years rolls around is probably fine to be hidden from view.

This feels like a fairly flexible setup for devs to get their app affairs in order, especially given they can ask for a six month extension should they need more time for migration. The timer is most definitely ticking, but this is ultimately what’s best for keeping Android owner’s security and privacy at the forefront of Play Store activities.

The post Old Play Store apps served notice by upcoming API level changes appeared first on Malwarebytes Labs.

Security researchers at Cado Security, a cybersecurity forensics company, recently discovered the first publicly-known malware targeting Lambda, the serverless computing platform of Amazon Web Services (AWS).

Though Lambda has been around for less than ten years, serverless technology is considered relatively young, according to Matt Muir, one of Cado’s researchers. Because of this, security measures for such a technology is often overlooked.

This lack of oversight has now bore fruit.

The malware in question, dubbed “Denonia,” is a cryptominer, which is software that allows the mining of cryptocurrency on computers and servers. The malware’s name is inspired by the domain the threat actors behind the cryptominer communicate with.

A cryptominer may not be among the ranks of ransomware, worms, and general Trojans. Still, the possibility of them taking advantage of Lambda is already here; a Pandora’s Box that can no longer be sealed.

Denonia, realized

Denonia is a Go-based wrapper that contains a modified version of the popular, open-sourced cryptomining software, XMRig.

Though not inherently malicious, XMRig came into prominence after an increase in cryptojacking was recorded in mid-2017, most of which was attributed to XMRig activity maliciously mining Monero. Since then, it has gained the reputation of being the miner of choice of cryptojackers.

Upload dates of Denonia samples on VirusTotal—one was in February, and an earlier sample in January—suggest attacks may have already been going on for months.

Denonia uses a unique evasion technique around address resolution to hide its command and control (C2) domain and traffic, making it difficult to detect using typical measures while making communicating with other servers easier. We have yet to find the actors behind Denonia as they left behind little forensic clues.

Because of these, Cado researchers think the actors behind such attacks possess advanced cloud-specific knowledge to take on a complex infrastructure. Thankfully, this cryptominer has limited distribution.

It’s unknown how actors deploy Denonia, but the researchers suspect that they likely used stolen or leaked AWS access and secret keys, which has happened before. AWS confirmed that actors didn’t breach Lambda via a vulnerability, saying in a follow-up statement to VentureBeat: “the software described by the researcher does not exploit any weakness in Lambda or any other AWS service.”

“The software relies entirely on fraudulently obtained account credentials,” the statement continues. It also stresses that Denonia shouldn’t be considered malware “because it lacks the ability to gain unauthorized access to any system by itself.”

“What’s more, the researchers even admit that this software does not access Lambda — and that when run outside of Lambda in a standard Linux server environment, the software performed similarly.”

The researchers explained in their post how this is possible: “We suspect this is likely due to Lambda ‘serverless’ environments using Linux under the hood, so the malware believed it was being run in Lambda (after we manually set the required environment variables) despite being run in our sandbox.”

Can organizations protect against Denonia and other Lambda-focused attacks?

Lambda is becoming popular because its cheap to run and easier to maintain. Organizations only have to pay for its runtime, not a full server to run their applications. This is a huge money-saver, allowing organizations to allocate money they saved to other matters that may need more financial support.

When it comes to security, however, serverless environments have some catching up to do.

A good starting point for organizations is to secure root credentials and access keys. This is in accordance with AWS’s shared responsibility model, wherein AWS is responsible for taking care of and securing Lambda, but organizations are responsible for securing their own content and functions (programs or scripts) that run on Lambda.

• Refrain from using root access to perform daily tasks. Instead, use it only to (1) create an AWS IAM (Identity and Access Management) admin user account or (2) carry out access and account management tasks.
• Lock away your root access credentials.
• Use a strong AWS root account password. (We have a podcast about that!)
• Enable multi-factor authentication (MFA) on your AWS root account.
• If you have an access key for your AWS root account, delete it. If you must keep it, change the access key regularly.
• Never share your AWS root credentials or access key with anyone.
• Encrypt your data. AWS has an encryption solution you can use.
• Use TLS 1.2 or later to communicate with your AWS resources.

Amazon has more in-depth IAM, access key, and data protection best practices for further reading and consideration.

Stay safe!

The post Denonia cryptominer is first malware to target AWS Lambda appeared first on Malwarebytes Labs.

The Malwarebytes Threat Intelligence team continuously monitors the threat landscape to stay on top of existing and emerging attacks. In this March 2022 ransomware review, we go over some of the most successful ransomware incidents based on both open source and dark web intelligence.

The March data was consistent with the first two months of the year, and the most active ransomware gangs during this month continued to be LockBit, followed by Conti, with an increase in BlackCat (ALPHV), a suspected rebrand of the DarkSide & BlackMatter ransomware groups.

Ransomware Attacks by Gang

Ransomware Attacks by Country

Ransomware Attacks by Industry

Ransomware Mitigations

Source: IC3.gov

• Implement regular backups of all data to be stored as air-gapped, password-protected copies offline. Ensure these copies are not accessible for modification or deletion from any system where the original data resides.
• Implement network segmentation, such that all machines on your network are not accessible from every other machine.
• Install and regularly update antivirus software on all hosts, and enable real-time detection.
• Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.
• Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.
• Audit user accounts with administrative privileges and configures access controls with the least privilege in mind. Do not give all users administrative privileges.
• Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs for any unusual activity.
• Consider adding an email banner to emails received from outside your organization.
• Disable hyperlinks in received emails.
• Use double authentication when logging into accounts or services.
• Ensure routine auditing is conducted for all accounts.
• Ensure all the identified IOCs are input into the network SIEM for continuous monitoring and alerts.

How Malwarebytes protects against ransomware

Malwarebytes can protect systems against all ransomware variants in several ways.

The Malwarebytes Anti-Malware technology detects malicious files, browser modifications, and system modifications on Windows PCs using a combination of signature-based and signatureless technologies. This layer of protection detects the Ransomware binary itself. Detections can happen in real-time as the binary is run or the infection can be rooted out from an already-compromised machine by conducting a full system scan.

Anti-Ransomware is a signatureless technology in charge of monitoring system activity of processes against a certain subset of data in specific locations on the endpoint. Using patented technology, Anti-Ransomware assesses changes in those data files. If an internal scoring threshold is crossed by a monitored process, it triggers a detection from the Anti-Ransomware component.

For those already infected, Ransomware Rollback can help recover encrypted files within 72 hours of the attack. Rollback creates a local cache on the endpoint to store changes to files on the system. It can use this cache to help revert changes caused by a threat. The Rollback feature is dependent on activity monitoring available in Malwarebytes Endpoint Detection and Response.

The post Ransomware: March 2022 review appeared first on Malwarebytes Labs.

There’s a mistake commonly made in the United States that a law that was passed to help people move their healthcare information to a new doctor or provider was actually passed to originally implement universal, wide-ranging privacy controls on that same type of information. This is the mixup with HIPAA—the Health Insurance Portability and Accountability Act—and while the mixup can be harmless most of the time, it can also show up in misunderstandings of other privacy concepts around the world.

Importantly, the mixup colors how we approach data protection, as a requirement and a set of rules, and privacy, as a right granted to certain sectors of our lives. In the European Union, this split is spelled out more clearly in their laws, but in the US, this split is still muddled—there are data protection laws in the United States that aim to achieve data privacy, and there is an entire realm of privacy law that was developed before our current understanding of data.

Today, on the Lock and Code podcast with host David Ruiz, we speak with Gabriela Zanfir-Fortuna, the vice president for global privacy at Future of Privacy Forum, to finally clear up the air on these related but not interchangeable topics. As Zanfir-Fortuna explained in our conversation, data protection can achieve privacy, but it isn’t the only goal that data protection should care about.

“The challenge with data protection, though, is that it needs to balance all of the rights, and sometimes they’re competing rights. That’s challenging indeed. But it’s important to note that the ultimate purpose of data protection is not to achieve privacy at all costs.”

Gabriela Zanfir-Fortuna, vice president for global privacy at Future of Privacy Forum

Tune in to hear all this and more on this week’s Lock and Code podcast by Malwarebytes Labs. 

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

The post Why data protection and privacy are not the same, and why that matters: Lock and Code S03E09 appeared first on Malwarebytes Labs.